[Emerging-Sigs] carberp sigs

Matthew Jonkman jonkman at emergingthreatspro.com
Sat Oct 9 13:34:26 EDT 2010


How about:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN carberp check in"; flow:established,to_server; content:"POST"; http_method; content:"/set/first.html"; http_uri; content:"id="; http_client_body; content:"os="; http_client_body; content:"plist="; http_client_body; classtype:trojan-activity; sid:2011798; rev:1;)

And I'll convert back to the other engines.

Matt

On Oct 8, 2010, at 3:37 PM, Nick Randolph wrote:

> Should we add in content match for
> "POST /set/first.html"
> as well?
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TROJAN carberp check in"; flow:established,to_server; content:"POST /set/first.html"; content:"id="; http_client_body; content:"os="; http_client_body; content:"plist="; http_client_body; classtype:trojan-activity; sid:5600172; rev:1;)
> 
> 
> On 10/8/10, Eoin Miller <eoin.miller at trojanedbinaries.com> wrote:
>> Coworker showed me this blog about carberp:
>> 
>> http://www.trustdefender.com/blog/tag/carberp/
>> 
>> Wrote a signature to try and find infected hosts when they check in:
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TROJAN carberp check in"; flow:established,to_server; content:"id="; http_client_body; content:"os="; http_client_body; content:"plist="; http_client_body; classtype:trojan-activity; sid:5600172; rev:1;)
>> 
>> Based on:
>> http://www.trustdefender.com/blog/wp-content/uploads/2010/10/pic3.png
>> 
>> --Eoin
>> 
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and
>> Lanyards
>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>> 
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
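The difference between Matt's rule and the earlier draft is where the match is anchored: `http_method` and `http_uri` test the normalized request-line buffers, while a bare `content:"POST /set/first.html"` tests the whole payload. The following is an added example, not code from the thread or from Emerging Threats: a small Python model of both matchers run over constructed HTTP requests (the request bodies, host and paths other than `/set/first.html` are made up; the real Carberp check-in format is only shown in the blog linked above).

```python
# Added example, not code from the thread: a Python model of the
# buffer-specific matching in sid:2011798 beside the raw
# "POST /set/first.html" content match from the earlier draft,
# evaluated over constructed HTTP requests. All sample hosts, bodies
# and non-rule paths are invented for the demonstration.

URI_MATCH = b"/set/first.html"
BODY_TOKENS = (b"id=", b"os=", b"plist=")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body).

    Stands in for the buffers an IDS exposes as http_method, http_uri and
    http_client_body. Returns None if the request line is malformed.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    return method, uri, body


def matches_buffer_rule(raw: bytes) -> bool:
    """Approximation of Matt's rule: POST in http_method, /set/first.html in
    http_uri, and id=, os= and plist= all present in http_client_body."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return False
    method, uri, body = parsed
    if method != b"POST" or URI_MATCH not in uri:
        return False
    return all(token in body for token in BODY_TOKENS)


def matches_raw_rule(raw: bytes) -> bool:
    """Approximation of the earlier draft: "POST /set/first.html" as a plain
    content match anywhere in the payload, body tokens matched the same way."""
    return b"POST /set/first.html" in raw and all(t in raw for t in BODY_TOKENS)


def build_request(method: bytes, uri: bytes, body: bytes) -> bytes:
    """Assemble a constructed HTTP/1.1 request for testing."""
    return (method + b" " + uri + b" HTTP/1.1\r\n"
            b"Host: example.invalid\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples (not real captures).
CHECKIN_BODY = b"id=CONSTRUCTED0001&os=5.1&plist=none"
SAMPLES = {
    # the traffic shape the rule is written for
    "checkin": build_request(b"POST", b"/set/first.html", CHECKIN_BODY),
    # same check-in through a proxy, so the request line carries an absolute URI
    "checkin_via_proxy": build_request(
        b"POST", b"http://example.invalid/set/first.html", CHECKIN_BODY),
    # benign form with overlapping parameter names but a different path
    "benign_form": build_request(
        b"POST", b"/account/update", b"id=42&os=linux&plist=default"),
    # same path but a GET, so there is no client body to inspect
    "get_same_path": build_request(b"GET", b"/set/first.html?id=1", b""),
    # a forum post whose body quotes the rule text itself
    "body_quotes_rule": build_request(
        b"POST", b"/forum/reply",
        b"text=see+the+rule+POST /set/first.html+with+id=+os=+plist="),
}


def evaluate() -> dict:
    """Run both matchers over every sample; returns {name: (buffer, raw)}."""
    return {name: (matches_buffer_rule(req), matches_raw_rule(req))
            for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (buf, raw) in evaluate().items():
        print(f"{name:20s} buffer-rule={buf!s:6s} raw-rule={raw!s}")
```

Two samples separate the matchers: the proxied check-in is caught only by the buffer-anchored rule, because its request line never contains the literal `POST /set/first.html`, while the forum post that merely quotes the rule text fires only the raw match. The model does no URI normalization, so it is a rough stand-in for the engine's `http_uri` buffer, not a replacement for testing the rule against the real engine.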
